File carving is a technique used in computer forensics to extract a formatted file or data from a disk drive or other storage device without the assistance of the filesystem that originally created the file. There are a number of different methods and algorithms that can be used, but the process essentially involves scanning through the data that are available on a storage device and then, in one way or another, checking to see if that information is a file or contains some predefined information of importance. A filesystem is not present during the process of file carving, so all the information on a disk needs to be evaluated for its context, meaning that the process can take a long time and, depending on the state of the storage device, can have a low success rate. It is incredibly difficult, but possible, to carve files from drives that have a high amount of file fragmentation. The end result of successful file carving is the reconstruction of a file in such a way that its contents are fully present, although an acceptable result in some situations can be a partially reconstructed file if enough pertinent information is recovered.
In some instances, whether through hardware failure, human error or malicious attack, the file system of a storage device and all the information on it can be erased. Depending on how the information was removed, the disk itself might still contain all the information that previously was present, but as an unordered, disorganized stream of bytes. One mechanism that makes file carving possible is that, when many filesystems delete a file, they do not remove the data but instead mark that area of the disk as available for new files. The old data remain until they are overwritten and, even then, there still is a chance that part of them can be recovered.
A very basic technique used in file carving involves stepping through blocks of information on a disk looking for file signatures. These are structured pieces of data that indicate the start of a file of a particular type. One example is the header of an image file, which might contain the width and height of the image and some color palette data. Should a block of data that cleanly matches the header of a file type be found, an attempt is made to interpret the data following the header to see if it actually is the file's contents. If successful, this can lead to the reconstruction of the original file.
A complication that occurs in file carving has to do with files that are fragmented, meaning the file is stored at two or more different physical locations on a disk. Some techniques do not attempt to reconstruct these types of files. Other methods use existing knowledge of filesystems to attempt to approximate where the other portions of a file might be located, although this process is very difficult.
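The following is an added example, not code from the original article, that puts the two preceding ideas into working form: it scans a constructed byte stream for PNG and JPEG signatures, and for each PNG hit it interprets the data after the header by walking the chunk structure (reading width and height from IHDR and checking every chunk's CRC) rather than trusting a footer search, so a file whose tail has been overwritten or lives in another fragment is reported as incomplete instead of being glued to the next file's footer. The sample "disk image", the 16 MiB JPEG size cap and the record format are assumptions made for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"      # start-of-image marker followed by any marker
JPEG_EOI = b"\xff\xd9"          # end-of-image marker
MAX_JPEG = 16 * 1024 * 1024     # assumed upper bound for a carved JPEG


def png_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width, height):
    """Constructed minimal 8-bit grayscale PNG with all-zero pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte + row
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(raw)) + png_chunk(b"IEND", b""))


def carve_png(image, start):
    """Interpret the data after a PNG signature chunk by chunk until IEND.
    A CRC mismatch or running off the end of the stream means the bytes that
    follow are not this file's data: it is truncated or fragmented."""
    pos = start + len(PNG_SIG)
    width = height = None
    while pos + 12 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        data = image[pos + 8:pos + 8 + length]
        crc = image[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            break
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc)[0]:
            break
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[:8])
        pos += 12 + length
        if ctype == b"IEND":
            return {"type": "png", "offset": start, "size": pos - start,
                    "width": width, "height": height, "complete": True}
    return {"type": "png", "offset": start, "size": pos - start,
            "width": width, "height": height, "complete": False}


def carve_jpeg(image, start):
    """Header/footer carving: accept the first EOI within the size cap."""
    end = image.find(JPEG_EOI, start + len(JPEG_SOI))
    if end < 0 or end - start > MAX_JPEG:
        return {"type": "jpeg", "offset": start, "size": 0, "complete": False}
    return {"type": "jpeg", "offset": start, "size": end + 2 - start, "complete": True}


def carve(image):
    """Scan the whole stream for every known signature and validate each hit."""
    found = []
    for sig, handler in ((PNG_SIG, carve_png), (JPEG_SOI, carve_jpeg)):
        pos = 0
        while True:
            hit = image.find(sig, pos)
            if hit < 0:
                break
            found.append(handler(image, hit))
            pos = hit + 1
    return sorted(found, key=lambda r: r["offset"])


def make_image():
    """Constructed stand-in for a raw disk image with no filesystem."""
    junk = bytes(range(256)) * 4                 # deterministic filler
    truncated = make_png(4, 4)[:40]              # PNG whose tail was overwritten
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 64 + JPEG_EOI)
    return junk + truncated + junk + make_png(8, 3) + junk + jpeg + junk


if __name__ == "__main__":
    for rec in carve(make_image()):
        print(rec)
```

Run as a script it lists three hits: a 4x4 PNG marked incomplete (its IHDR is intact but the chunk after it fails the CRC check), a complete 8x3 PNG, and a complete JPEG. A footer-only carver would have joined the truncated PNG to the IEND of the next one and produced a corrupt file; parsing the structure is what lets the carver tell a fragment from a whole.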